diff options
| author | Fabian Kosmale <fabian.kosmale@qt.io> | 2022-10-12 09:02:40 +0200 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2022-11-14 17:29:27 +0000 |
| commit | 8cb2d8095f451392a9647458a2cda20d7e3d4a09 (patch) | |
| tree | e6b6658b4cc246a6af77e36e5ae1c95bb0e61d4d /src/qml/jsruntime/qv4functionobject.cpp | |
| parent | df9bd9ee2fdf48cb08a8fb5d662a7c92674b10fa (diff) | |
QV4: Avoid memory corruption in Reflect.apply
This extracts the check from Function.prototype.apply into a shared
function, and uses it in Reflect.apply, which has the same issue.
Task-number: QTBUG-107619
Change-Id: I899464c86554f9bbb5270a95bbe3fe27531e9a27
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit 0e963a53c04b0dbe172cfb495b4d62dc8e2f31a3)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Diffstat (limited to 'src/qml/jsruntime/qv4functionobject.cpp')
| -rw-r--r-- | src/qml/jsruntime/qv4functionobject.cpp | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/src/qml/jsruntime/qv4functionobject.cpp b/src/qml/jsruntime/qv4functionobject.cpp index ae21326705..b103e4c5ec 100644 --- a/src/qml/jsruntime/qv4functionobject.cpp +++ b/src/qml/jsruntime/qv4functionobject.cpp @@ -387,15 +387,10 @@ ReturnedValue FunctionPrototype::method_apply(const QV4::FunctionObject *b, cons if (!arr) return v4->throwTypeError(); - const qint64 len64 = arr->getLength(); - if (len64 < 0ll || len64 > qint64(std::numeric_limits<int>::max())) - return v4->throwRangeError(QStringLiteral("Invalid array length.")); - if (len64 > qint64(v4->jsStackLimit - v4->jsStackTop)) - return v4->throwRangeError(QStringLiteral("Array too large for apply().")); - - const uint len = uint(len64); - Scope scope(v4); + const uint len = v4->safeForAllocLength(arr->getLength()); + CHECK_EXCEPTION(); + Value *arguments = scope.alloc<Scope::Uninitialized>(len); if (len) { if (ArgumentsObject::isNonStrictArgumentsObject(arr) && !arr->cast<ArgumentsObject>()->fullyCreated()) { |